Third Party Risk Management and Cybersecurity for Banks—Interview with Jim Freis

Mark: Hello, everyone. This is Mark Stetler, CEO of CRINDATA. I’m with our fearless leader, Jim Freis, chairman of CRINDATA. We are going to discuss today third-party risk management and cybersecurity, the implications of those two issues with respect to financial institutions and their third-party service providers. Welcome, Jim. Thanks for joining me.

Jim: Great to be here, Mark.

Mark: Let’s start by talking about the regulatory context that the institutions and the third-party service providers find themselves in with respect to third-party risk management.

Jim: In principle, the concept is quite simple. When a bank or other financial institution relies on an external service provider for delivery of its products and services, the bank needs to oversee and manage those risks. In a simpler sense, you can outsource the service, but you can’t outsource the risk and responsibility.

Mark: Bring this down to a practical level with us. What do you see going on in the financial services industry? The regulators have paid a particular amount of attention to this in the last year. The OCC says it’s one of their enforcement priorities, one of their six or seven most critical enforcement priorities. What are the regulators seeing that’s changing their mind or their emphasis on third-party risk management?

Jim: As a factual matter, the risk is going up. Why? Because there are two trends. The financial services industry generally has been transformed in recent decades through telecommunications. In particular IT: almost every new product development efficiency is related to IT systems. The way the financial institutions have done that increasingly is not through their own internal IT departments, or not alone, but they’re relying on external providers.

That’s your software provider. It can be something as significant as the core banking system, the very aspect of what runs the debits and credits in your bank. It could be part of a new trend where the bank is not sourcing or meeting new customers through its traditional brick-and-mortar branch network, but rather is relying on a FinTech platform that brings new customers to that bank.

Mark: Talk about cloud computing in relationship to those relationships.

Jim: Cloud computing is something that is really changing the whole way the world looks at the use of information technology systems. The biggest aspect of moving from on-premise software servers to cloud and the flexibility is that it introduces new entities or additional entities that are your potential points of failure. It’s not just a question that your own servers can go down, but it’s an aspect of the software that you might be using to an external provider, your network connections to that provider, a different entity that’s involved in the hosting of your data. Any of them could have an operational disruption that could cause negative implications for your bank.

Mark: Before we start talking about business continuity and cybersecurity and events around those topics, give us a sense of what you’re seeing or are feeling about the relationships not only between institutions and their critical service providers. Let’s just have a running example through this discussion, that we’ve got an institution who uses a third-party service provider, a payment system.

ACH, wires, Fed connection, whatever it is, a small or medium-size bank uses a third-party service provider, but also then those service providers have downstream relationships, which some people call fourth-party relationships vis-à-vis the bank, and they call subcontractor relationships. When we start talking about business continuity and cybersecurity, what are the fourth-party relationships with the subcontracting relationships? How do they relate to what we’re going to talk about?

Jim: This is one of the biggest challenges that banks face. You know the entity with whom the bank has directly contracted as its service provider. Just as banks are transforming the way they run their business to rely on external parties, many of those service providers in turn also rely on external parties or have external dependencies in the IT and telecommunications space.

Those parties can also change over time. The question for the bank is not just who is my direct counterparty, have I done appropriate due diligence on them, but what are the entities on which that third-party service provider relies, again, call them fourth parties for this purpose, which can be a chain of fourth parties. A fourth party relies on a fifth party, et cetera. Any one of which might be involved in a critical function, the failure of which causes a chain reaction, if you will, and a negative impact on the bank.

Mark: One other question around that, which is the cybersecurity aspects of business continuity. Again, this is the topic. It’s not like there aren’t other issues that can occur, service disruptions that don’t have anything to do with cybersecurity. With respect to the cybersecurity implications of that, let’s take that proverbial cloud provider as a service provider to a hypothetical payments system, and relate that to the chain of events that could occur that could be either meaningful or catastrophic to the financial institution customer and its customers.

In other words, what happens with respect to the financial institution, and then what happens or what are the knock-on effects to customers, for example, with a fourth-party failure? Let’s take the example of a cloud service provider experiences a breach that exposes PII, what happens up the line? Then we can talk about the proactive and reactive aspects and regulators’ expectations around that. Can we just set this up as an example and then we can use that as a go-forward?

Jim: Sure. I think we can parse this out in different ways and different steps. The first point, as you’ve suggested, is that customers of the bank, for whom the bank has confidentiality obligations, have information with respect to those customers that, through an external service provider, resides in a cloud system managed not directly by the bank, but by that service provider. If there were an exposure of that customer information, the bank has liability for that.

It has liability under the regulatory framework, and it probably has notice obligations to its customers. I guess the first question for you is, does the bank know, or how would it know about that exposure? There are enough incidents that we hear about through the press where there’s some type of a hacker or attack, or there’s some mis-setting of a system that has a vulnerability where any individual or a hacker, if they have bad intent, can access that customer information at the third party.

Let’s say they made a copy of that customer data. How would a bank even know that their customer data were exposed while it was sitting with a third party? This is something that keeps banks up at night. The answer should be that you have established, as part of your outsourcing relationship and the contractual obligations, notice obligations upon that entity, and not just directly upon your service provider, but the service provider in turn with respect to any fourth parties or other subcontractors on which it relies.

Mark: Well, that’s fine in theory. Are the institutions ready and are they executing on plans that create what, let’s just call it chain risk. That’s what you and I call it in the real world. The chain risk of the institution’s relationship with the service provider, the payments company, and then that payments company’s relationship to fourth parties, in this case, it would be the cloud service provider. Are you seeing, obviously you’re talking to regulators quite often, you’re talking to institutions quite often, what is the current state of the technology around the institution’s business practices, business continuity practices, third-party risk management practices? Are they collecting this data? Are they using this data? Are their systems ready?

Jim: I guess the best way you could say it is there’s room for improvement. A traditional approach that you would see is, again, nothing new: expectations, regulatory expectations, clear guidance that have been in place for almost two decades here in the United States, with the US leading a world push in terms of risk management in this regard. That you do not only oversee the outsourcing or reliance on third-party service providers when you enter into that contract, the decision to outsource, but you have ongoing monitoring.

The ongoing monitoring should include an understanding of how this may change and evolve over time with respect to a sub-component of reliance on fourth-party service providers, as we’ve said.

Mark: What you’re saying is the aspects of mapping your risk could be better, or is that what I’m hearing?

Jim: They could be better in a number of ways. One is that they have focused on naturally the direct relationship with the third-party service provider. You don’t have the ability to compel detailed information directly from fourth-party subcontractors. You don’t-

Mark: Because you don’t have a contractual relationship with them.

Jim: Exactly. You rely on a pass-through, and it’s only as good as your direct service provider following up, a manual process repeated. There’s a time lag aspect. This is one of the reasons why I emphasize so much the ongoing monitoring. If you follow normal industry practices, once a year you update your file of your due diligence on your outside service providers, or at least the critical ones. Then you have a potential 12-month gap, just by definition, as to how that might evolve over time.

In the digital world in which we’re living, market volatility could be aspects, pandemic-related, it could be natural disasters. They can change the risk profile, the reliability of any of the parties in the chain. You are essentially bearing that risk for all of the time that you’re not overseeing or monitoring a relationship, looking for potential disruption.

Mark: I’m assuming that at some point in this discussion you’re going to tell us how we could be better. In the meantime, we’re going to wrap up this section of the discussion with a final point to get your response on. The OCC, as I mentioned before, has been on this issue. There’s some joint guidance that’s, I think, still proposed as of today around updating third-party service risk management issues.

Jim: The outsourcing oversight. Yes.

Mark: There’s also the new regulations around incident management, which we’ll talk about. From your discussions with regulators, I’ll preface this by saying the OCC was super clear in its regulatory priorities that were released for 2022. That is that this idea of chain risk was on their radar. It’s important to note that the OCC’s regulatory priorities are really short. It’s half a page, seven or eight items, whatever it is. Institutions recognizing chain risk was one of the issues. I think it was third or fourth behind safety and soundness.

Just give us a quick view of your discussions with regulators and how important they think this is. We’ll wrap up this session. In the next session we’re going to talk about the specifics around business continuity and around cybersecurity and how proactively and reactively you would hope and expect that your institutions and third-party service providers would deal with those issues.

Jim: In terms of regulatory priorities, it’s quite simple. There are some issues that never change. It goes inherent to the question of what are the responsibilities of the regulators to oversee safety and soundness, to oversee aspects of anti-money laundering for the past couple of decades here in the United States, some aspects of consumer protection. What is new to the list of regulatory focus priorities in the examination process is this third-party risk management and the oversight of the outsourcing.

It’s in parallel to the issuance of new enhanced regulatory obligations which specifically get to the aspect of incident reporting and making more information available to the regulators in close to real-time. It’s closing a gap that they’ve been worried about, and how to implement that and how financial institutions are following up on that is one of the things that they’re most worried about now. All of the regulators are sending out teams, asking banks for the first time, and with a level of focus that they never have before: what are you doing to mitigate this risk?

Mark: That’s fantastic, Jim. In the next session, again, we’ll talk about proactive and reactive issues around cybersecurity and business continuity, and we’ll see everybody then. Thanks a lot.